Computerworld - In all my career, whether in the public or private sector, I have never seen a top-down information security plan in place. In other words, I've seen nothing that would show that someone at the highest levels of the organization is thinking about information security and has integrated it into the mission, goals and objectives of the organization. Instead, information security has developed -- or should we say stumbled along? -- from the bottom up, with IT managers or infosec managers simply trying to get individual projects approved and implemented.
So it came as a surprise this week when a template for an information security plan appeared in my in-box, with a note from my chief to fill in the blanks and have it back to him within a week. This was a real top-down effort: The governor had issued an executive order requiring that the state's chief information security officer (CISO) gather plans from all the state agencies.
Setting the Pace
Now, I guess you could say I'm a bottom-up kind of person, because I usually set the pace for information security initiatives rather than wait for someone to hand them down. I would have to take a look at this template and see how my bottom-up approach meshed with this top-down directive.
After a quick perusal of the document, I realized that it had been generated by the National Institute of Standards and Technology. NIST has done a great job of supplying such templates for government bodies. My only complaint is that they are more like rough starting points than definitive guides. Of course, I don't know how you could publish a definitive guide when it comes to anything related to technology, since the rate of change is phenomenal and there are so many variations on the theme.
You have to give the state CISO a pat on the back for even trying to bring myriad agencies into some form of compliance with federal and state guidelines.
I was most curious to know if "filling in the blanks" of the document was going to show our agency lacking in any important areas. We have a plan, but it resides in my mind. Now I was faced with an exercise that would force me to document and audit our information security efforts.
First up was the stated purpose of the plan: to document the security controls that are in place or planned, delineate responsibilities and expected behavior, identify state and individual agency technical assets, and establish a means of
Free Insider GuideCopyright © 1994 - 2012 Computerworld Inc. All rights reserved. Reproduction in whole or in part in any form or medium without express written permission of Computerworld Inc. is prohibited. Computerworld and Computerworld.com and the respective logos are trademarks of International Data Group Inc.
